Cyber Threat Intelligence and security level maintenance: an essential combination
The internet, system networks and information systems have become a real battleground, with every operator having to tackle rapidly growing and progressive cyber threats in a context where attackers have a clear advantage over defenders.
In the best-case scenario, an information system is implemented alongside a set of actions that assess its security level at the time of implementation. This assessment confirms that the security level is adequate in relation to the associated risks.
However, if no action is taken once the information system has been implemented, then the discovery of new vulnerabilities connected to the software components being used, as well as the appearance of new malware flooding the networks, will quickly and massively degrade the information system’s security level.
How, then, can we ensure that the information system receives maximum protection, meets its security requirements and addresses the threats specific to it, so as to maintain its security level after implementation?
Security level maintenance (SLM): the first step towards active anticipation
The key point here is active anticipation, which allows a given security level to be sustained over time. Anticipation is absolutely vital for any operator wanting to maintain an optimal security level.
The first brick in the active anticipation process is security level maintenance (SLM). Its objective is to ensure the security level of a given system or project at each stage of its lifecycle, through controlled, continuous management of the risks associated with software vulnerabilities. In France, SLM is central to the State’s information systems security policy (PSSIE), which sets out the protective rules applied to the State’s information systems. But how does SLM work?
To meet this objective, SLM lists and aggregates the vulnerabilities published by software vendors and security researchers, so as to propose protective measures.
Once a new vulnerability has been detected, analysts assess it to determine whether the information system or project being monitored is affected and, if so, to what extent. Next, SLM assigns a severity rating according to the Common Vulnerability Scoring System (CVSS), which is broken down into three metric groups:
- The “base” metrics, which describe the severity of the vulnerability in itself, independently of time and environment.
- The “temporal” metrics, which take into account whether a remediation is available and whether a publicly available tool exists for exploiting the vulnerability.
- The “environmental” metrics, which assess the severity of the vulnerability in the specific context of the information system. This score will therefore differ from one organisation to another.
SLM teams can then describe an attack scenario and, where possible, propose a remediation or workaround for the vulnerability.
SLM in the WannaCry attack
WannaCry is a good example to illustrate the benefits of “anticipatory” methods. The ransomware used in the global cyberattack in 2017 relied on Microsoft’s now obsolete operating system, Windows XP.
58 days before the attack, Microsoft published a security notice. The next day, an SLM team sent an initial security notice to users affected by the vulnerability, specifying that this was a highly critical vulnerability and therefore required urgent monitoring.
Five days later, the SLM team sent the service’s clients the corrective procedures to apply to their systems, depending on the versions each client was running.
On 15 April 2017 – one month later – an exploit (a vulnerability exploitation tool) went public. The tool was the work of “The Shadow Brokers”, a group of hackers connected to the NSA (National Security Agency). The following day, the exploit was analysed and SLM teams warned affected users, strongly advising them to correct the vulnerability.
Then, on 12 May 2017, the global attack hit. SLM teams were mobilised and warned all affected users, letting them know that an attack was imminent. Just a few minutes later, the security notice was changed and the severity level was raised to critical.
In the WannaCry case, SLM teams enabled IT Managers to prepare for the attack, to react quickly and to avoid a crisis situation.
The addition of Cyber Threat Intelligence – information about the context in which the vulnerability is being used – would have enabled trends to be identified so as to better anticipate and defend against such an attack.
In 2019, the digital battle between attackers and defenders continues to evolve, making knowledge of its context essential.
Cyber threats: contextualise to anticipate
Now, active anticipation of cyber threats and exploitable vulnerabilities in a specific context is crucial for being able to respond to cyber risks efficiently.
Knowing the different cyber threats in full, and knowing how to qualify them in the specific context of the information system at risk, is absolutely vital. At present this is one of the main limitations of SLM, but new service offerings that bring CTI and SLM together are now addressing it.
It is now important to enrich the description of these vulnerabilities with an analysis that carries as much context as possible. The objective? To offer a more complete service that supports decision-making.
What does Cyber Threat Intelligence offer to SLM?
As an intelligence-based discipline, CTI allows data connected to cyberattacks, cyber attackers, their motivations, intentions and methods to be collected and organised.
From this data, certain factors emerge as necessary for SLM analyses. Location, for instance, is a useful contextual element: a vulnerability exploited in Asia is contextually less critical for European clients.
As such, knowing the following components is important for SLM analyses:
- Where in the world the vulnerability has been exploited
- The group of attackers using the vulnerability
- The sectors affected by the use of the vulnerability
- The geographical locations affected by the use of the vulnerability
- The attack patterns in which the vulnerability is used
Compared against the elements provided by the user, these components allow the previous score to be re-evaluated and vulnerabilities to be classified more accurately, so that users know which ones they are most likely to be affected by. This is a decision-making assistance tool.
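As an added illustration (not part of the original article) of how the components above can re-evaluate an SLM score against the elements a client provides: a toy Python scoring function. The adjustment weights, product names, actor group labels and attack pattern names are all constructed assumptions, not values from any real service.

```python
from dataclasses import dataclass, field
@dataclass
class Vulnerability:   # as published by SLM, enriched with the CTI components from the text
    vuln_id: str
    product: str
    slm_score: float                                   # CVSS score assigned by the SLM analysis
    exploited_in: set = field(default_factory=set)     # regions where exploitation was observed
    sectors_hit: set = field(default_factory=set)      # sectors of the observed victims
    actor_groups: set = field(default_factory=set)     # groups seen using the vulnerability
    attack_patterns: set = field(default_factory=set)  # patterns in which it was used
    public_exploit: bool = False
@dataclass
class ClientContext:   # the elements the user gives about their own information system
    region: str
    sector: str
    products: set
    tracked_groups: set     # actor groups the client's CTI watch already follows
    detected_patterns: set  # attack patterns the client's SOC already detects

def contextual_score(v, ctx):
    """Re-evaluate the SLM score with CTI context; the weights are illustrative assumptions."""
    if v.product not in ctx.products:
        return 0.0, ["product not deployed"]
    rules = [  # (applies?, adjustment, reason shown to the decision maker)
        (ctx.region in v.exploited_in, +1.5, f"exploited in {ctx.region}"),
        (bool(v.exploited_in) and ctx.region not in v.exploited_in, -0.5, "exploited only elsewhere"),
        (ctx.sector in v.sectors_hit, +1.0, f"{ctx.sector} sector targeted"),
        (bool(v.actor_groups & ctx.tracked_groups), +1.0, "used by a tracked actor group"),
        (v.public_exploit, +0.5, "public exploit available"),
        (bool(v.attack_patterns) and v.attack_patterns <= ctx.detected_patterns, -0.5, "all patterns detected"),
    ]
    score, reasons = v.slm_score, []
    for applies, delta, why in rules:
        if applies:
            score += delta
            reasons.append(why)
    return round(min(max(score, 0.0), 10.0), 1), reasons

def prioritise(vulns, ctx):
    """(id, contextual score, reasons) ordered from most to least urgent for this client."""
    ranked = [(v.vuln_id, *contextual_score(v, ctx)) for v in vulns]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample data (not real vulnerabilities, actors or clients).
CLIENT = ClientContext("Europe", "finance", {"edge-gateway", "mail-server"}, {"GROUP-A"}, {"phishing-attachment"})
FEED = [
    Vulnerability("SLM-0001", "edge-gateway", 9.8, exploited_in={"Asia"}, sectors_hit={"telecom"}),
    Vulnerability("SLM-0002", "mail-server", 5.9, exploited_in={"Europe"}, sectors_hit={"finance"},
                  actor_groups={"GROUP-A"}, attack_patterns={"phishing-attachment", "macro-dropper"}, public_exploit=True),
    Vulnerability("SLM-0003", "hr-portal", 9.1, exploited_in={"Europe"}),
]
```

With this client's context the medium-rated SLM-0002 outranks the critical SLM-0001, and SLM-0003 drops to zero because the product is not deployed, which is the kind of re-classification the text describes.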
Cyber Threat Intelligence services available on the market provide feeds that can be used by SOCs (Security Operations Centres) and CERTs. Until now, IT Managers had no clear connection between the CTI service offerings available on the market and Vulnerability Management tools. By linking SLM and CTI, IT Managers can now optimise the way they deal with cyber threats.